How to ensure admission control plugins are removed and will not be enforced in kubernetes?

12/1/2019

I removed the LimitRanger admission plugin by editing the line --enable-admission-plugins= in kube-apiserver.yaml in /etc/kubernetes/manifests. Once I saved the file, the existing kube-apiserver pod kube-apiserver-master.k8s was immediately deleted and recreated automatically. I am able to see that the LimitRanger plugin is not listed in the restarted kube-apiserver process:

 kube-apiserver --advertise-address=192.168.56.4 --allow-privileged=true --authorization-mode=Node,RBAC --client-ca-file=/etc/kubernetes/pki/ca.crt --enable-admission-plugins=NodeRestriction --enable-bootstrap-token-auth=true --etcd-cafile=/etc/kubernetes/pki/etcd/ca.crt --etcd-certfile=/etc/kubernetes/pki/apiserver-etcd-client.crt --etcd-keyfile=/etc/kubernetes/pki/apiserver-etcd-client.key --etcd-servers=https://127.0.0.1:2379 --insecure-port=0 --kubelet-client-certificate=/etc/kubernetes/pki/apiserver-kubelet-client.crt --kubelet-client-key=/etc/kubernetes/pki/apiserver-kubelet-client.key --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname --proxy-client-cert-file=/etc/kubernetes/pki/front-proxy-client.crt --proxy-client-key-file=/etc/kubernetes/pki/front-proxy-client.key --requestheader-allowed-names=front-proxy-client --requestheader-client-ca-file=/etc/kubernetes/pki/front-proxy-ca.crt --requestheader-extra-headers-prefix=X-Remote-Extra- --requestheader-group-headers=X-Remote-Group --requestheader-username-headers=X-Remote-User --secure-port=6443 --service-account-key-file=/etc/kubernetes/pki/sa.pub --service-cluster-ip-range=10.96.0.0/12 --tls-cert-file=/etc/kubernetes/pki/apiserver.crt --tls-private-key-file=/etc/kubernetes/pki/apiserver.key

But now I have submitted a deployment without specifying CPU and memory resource requests and limits, like the one below:

kind: Deployment
apiVersion: apps/v1
metadata:
 name: kubia-dep
spec:
 replicas: 3
 selector:
  matchLabels:
   app: dev
 template:
  metadata:
    name: dep-spec
    labels:
     app: dev
  spec:
   containers:
   - name: kubia-dep-cn
     image: luksa/kubia:v2

[root@master manifests]# kubectl get po
NAME                         READY   STATUS                       RESTARTS   AGE
curl-custom-sa               2/2     Running                      0          4d2h
kubia-dep-74cb8b894c-47m96   1/1     Running                      0          14m
kubia-dep-74cb8b894c-gnzt8   1/1     Running                      0          14m
kubia-dep-74cb8b894c-h26nv   1/1     Running                      0          14m

But I am seeing that the LimitRanger plugin was applied, by checking kubectl describe po kubia-dep-74cb8b894c-47m96:

Annotations:  kubernetes.io/limit-ranger:
                LimitRanger plugin set: cpu, memory request for container kubia-dep-cn; cpu, memory limit for container kubia-dep-cn
Containers:
  kubia-dep-cn:
    Container ID:   docker://d151dc4b589f70359587ebd594d1e40cc8797ae0be25527cc2b0e92bd2c20303
    Image:          luksa/kubia:v3
    Image ID:       docker-pullable://docker.io/luksa/kubia@sha256:bcae4c20b355376d86bb34db0c9637a2e72058db5a66af82c868a2cfdcb0ac80
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Tue, 26 Nov 2019 23:33:57 +0530
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     200m
      memory:  100Mi
    Requests:
      cpu:        100m
      memory:     10Mi

So how is the LimitRanger plugin enforced even after being removed? Are there any additional steps we have to do to stop this LimitRanger plugin from being enforced? Or is removing it directly from the apiserver manifest file not the proper way?

-- user10912187
kubernetes

2 Answers

12/12/2019

I removed the LimitRanger admission plugin by editing the line --enable-admission-plugins= in kube-apiserver.yaml in /etc/kubernetes/manifests.

Have you tried --disable-admission-plugins ?

The Kubernetes documentation says:

The Kubernetes API server flag disable-admission-plugins takes a comma-delimited list of admission control plugins to be disabled, even if they are in the list of plugins enabled by default.

kube-apiserver --disable-admission-plugins=PodNodeSelector,AlwaysDeny

To see which admission plugins are enabled:

kube-apiserver -h | grep enable-admission-plugins

In 1.16, plugins enabled by default are:

NamespaceLifecycle, LimitRanger, ServiceAccount, TaintNodesByCondition, Priority, DefaultTolerationSeconds, DefaultStorageClass, StorageObjectInUseProtection, PersistentVolumeClaimResize, MutatingAdmissionWebhook, ValidatingAdmissionWebhook, RuntimeClass, ResourceQuota
-- Nick
Source: StackOverflow
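The point of the answer above is that --enable-admission-plugins only adds plugins on top of the default-enabled set, so dropping LimitRanger from that flag leaves it running; only --disable-admission-plugins removes a default plugin. The following script is an added example, not code from the question, the answers or the Kubernetes project: it computes the effective plugin set for a kube-apiserver command line as (defaults + enable) minus disable, using the 1.16 default list quoted in the answer. The two command lines it checks are constructed, shortened versions of the asker's flags; the function names and the assumption that every relevant flag is written as --flag=value on one line are mine.

```shell
#!/bin/sh
# Effective admission plugins = (default set + --enable-admission-plugins)
#                               - --disable-admission-plugins
# The default set below is the Kubernetes 1.16 list quoted in the answer;
# on a real node confirm it with: kube-apiserver -h | grep admission-plugins

DEFAULT_PLUGINS="NamespaceLifecycle,LimitRanger,ServiceAccount,TaintNodesByCondition,Priority,DefaultTolerationSeconds,DefaultStorageClass,StorageObjectInUseProtection,PersistentVolumeClaimResize,MutatingAdmissionWebhook,ValidatingAdmissionWebhook,RuntimeClass,ResourceQuota"

# flag_value CMDLINE FLAG: print the value of --FLAG=value (last occurrence wins),
# or nothing if the flag is absent. Assumes the --flag=value form, as kubeadm writes it.
flag_value() {
  printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^--$2=//p" | tail -n 1
}

# effective_plugins CMDLINE: print the effective plugin names, one per line, sorted.
effective_plugins() {
  cmdline=$1
  enable=$(flag_value "$cmdline" enable-admission-plugins)
  disable=$(flag_value "$cmdline" disable-admission-plugins)
  printf '%s,%s\n' "$DEFAULT_PLUGINS" "$enable" | tr ',' '\n' | sed '/^$/d' | sort -u |
  while read -r p; do
    case ",$disable," in
      *",$p,"*) ;;                 # explicitly disabled: drop it
      *) printf '%s\n' "$p" ;;     # default or explicitly enabled: keep it
    esac
  done
}

# plugin_enabled CMDLINE PLUGIN: exit 0 if PLUGIN is effectively enabled.
plugin_enabled() {
  effective_plugins "$1" | grep -qx "$2"
}

# Constructed command lines (shortened from the question's process listing).
# ORIGINAL_CMD is what the asker ended up with: LimitRanger is gone from
# --enable-admission-plugins but is still a default, so it stays enabled.
ORIGINAL_CMD='kube-apiserver --authorization-mode=Node,RBAC --enable-admission-plugins=NodeRestriction --secure-port=6443'
# FIXED_CMD adds the flag the answer recommends.
FIXED_CMD='kube-apiserver --authorization-mode=Node,RBAC --enable-admission-plugins=NodeRestriction --disable-admission-plugins=LimitRanger --secure-port=6443'

for cmd in "$ORIGINAL_CMD" "$FIXED_CMD"; do
  if plugin_enabled "$cmd" LimitRanger; then
    echo "LimitRanger ENABLED  for: $cmd"
  else
    echo "LimitRanger disabled for: $cmd"
  fi
done
```

On a kubeadm control-plane node you can feed the live process instead of the constructed strings, for example `plugin_enabled "$(ps -o args= -C kube-apiserver)" LimitRanger`, after the static pod has been recreated from the edited manifest. Keep in mind that disabling the plugin only stops new defaults from being injected; pods that were already admitted keep the requests and limits that LimitRanger wrote into them.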

12/2/2019

Verify whether a LimitRange is active:

kubectl get limitranges

Also check whether you have ResourceQuotas defined:

kubectl get resourcequotas

-- EAT
Source: StackOverflow